[oneiric CVE 1/1] overlayfs: apply device cgroup and security permissions to overlay files
Andy Whitcroft
apw at canonical.com
Wed Jan 18 17:45:17 UTC 2012
When checking permissions on an overlayfs inode we do not take into
account either device cgroup restrictions nor security permissions.
This allows a user to mount an overlayfs layer over a restricted device
directory and by pass those permissions to open otherwise restricted
files.
Use devcgroup_inode_permission() and security_inode_permission() against
the underlying inodes when calculating ovl_permission().
CVE-2012-0055
BugLink: http://bugs.launchpad.net/bugs/915941
BugLink: http://bugs.launchpad.net/bugs/918212
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
fs/overlayfs/inode.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index ce39fab..1551032 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -10,6 +10,8 @@
#include <linux/fs.h>
#include <linux/slab.h>
#include <linux/xattr.h>
+#include <linux/device_cgroup.h>
+#include <linux/security.h>
#include "overlayfs.h"
int ovl_setattr(struct dentry *dentry, struct iattr *attr)
@@ -118,6 +120,11 @@ int ovl_permission(struct inode *inode, int mask, unsigned int flags)
else
err = generic_permission(realinode, mask, flags,
realinode->i_op->check_acl);
+
+ if (!err)
+ err = devcgroup_inode_permission(realinode, mask);
+ if (!err)
+ err = security_inode_permission(realinode, mask);
out_dput:
dput(alias);
return err;
--
1.7.5.4
More information about the kernel-team
mailing list